William Regli, Ph.D.
Director of the Institute for Systems Research at the Clark School of Engineering, Professor of Computer Science at the University of Maryland at College Park
A New Type of Thinking
Friday, June 22, 2018
Life Sciences Center 105
11:00 AM

The Conference will conclude at 2:00 p.m. Bus service back to the Courtyard by Marriott will be provided at this time.

Training Session Abstracts

Into the Cloud: A Hands-on Workshop Exploring the Pros and Cons of Hosting Servers in Public, Private, and Hybrid Clouds
Adam Goldstein

Low cost, ease of use, and minimal infrastructure requirements are just some of the reasons that make hosting servers in the cloud an attractive proposition. However, there are many security concerns and technical limitations that institutions must consider when assessing the potential benefits of cloud server offerings. This seminar will use interactive exercises to explore these concerns and what institutions and the leading providers are doing to mitigate the security risks. These will include implementation of new security controls and the use of private and hybrid clouds. In addition, a decision-making method will be presented that will assist institutions in determining which services may be good candidates for the cloud.

This presentation will demonstrate how to develop realistic security policy which is risk-based. Typically, organizations have narrative security policy documents which simply state the "do's and don'ts" across a myriad of security related processes, both IT and non-IT. The elements contained in these policies are not categorized by stringency of control, nor are they correlated to risk mitigation. Dartmouth's approach is based on the coupling of two critical elements:

security controls, presented in a matrix format, each control rated as to its relative strength, and mapped to regulatory and industry standards (ISO 27002, HIPAA, FERPA, etc.)

information management models, where departments do risk assessments of the information they work with, with each information object risk-rated using a numeric scale

Policy is implemented based on a join of these two elements, which ensures that policy controls are deployed in a cost-effective, risk-based manner.
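The join described in this abstract, worked through as an added illustration (this is not Dartmouth's own tooling, and nothing here comes from the talk itself): a control matrix whose rows are control families and whose columns are strength levels, a set of department-rated information objects, and a selection rule that picks, per object and per family, the cell matching the object's required strength. The control families, the 1-3 strength scale, the mapping of each control to the named standards, the sample information objects and the risk-to-strength rule are all constructed assumptions.

```python
"""Risk-based policy selection as a join of two tables.

Added illustration of the approach sketched in the abstract above; it is not
Dartmouth's own tooling. The control families, the 1-3 strength scale, the
mappings to named standards, the sample information objects and the rule that
converts a risk score into a required strength are all constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Control:
    family: str                  # row of the control matrix, e.g. "authentication"
    strength: int                # column: 1 = baseline, 2 = enhanced, 3 = strongest (assumed scale)
    requirement: str             # the control statement itself
    standards: Tuple[str, ...]   # standards the control is mapped to (assumed mapping)


@dataclass(frozen=True)
class InfoObject:
    name: str
    department: str
    risk: int                    # department's numeric risk rating, assumed 1 (low) .. 5 (high)


# Control matrix: each (family, strength) cell is one control. Constructed sample.
CONTROL_MATRIX: Tuple[Control, ...] = (
    Control("authentication", 1, "Unique account per user", ("ISO 27002",)),
    Control("authentication", 2, "MFA for remote access", ("ISO 27002", "HIPAA")),
    Control("authentication", 3, "MFA for all access; 15-minute idle timeout", ("ISO 27002", "HIPAA")),
    Control("encryption", 1, "No encryption requirement", ()),
    Control("encryption", 2, "Encrypt in transit", ("ISO 27002",)),
    Control("encryption", 3, "Encrypt in transit and at rest", ("ISO 27002", "HIPAA")),
    Control("logging", 1, "Failed logins logged", ("ISO 27002",)),
    Control("logging", 2, "Record access logged and reviewed quarterly", ("ISO 27002", "FERPA")),
    # Deliberately no strength-3 logging control: join_policy falls back to level 2.
)

# Information management model: the departments' own risk assessments. Constructed sample.
SAMPLE_OBJECTS: Tuple[InfoObject, ...] = (
    InfoObject("Student health records", "Health Service", 5),
    InfoObject("Grade rosters", "Registrar", 3),
    InfoObject("Course catalog", "Registrar", 1),
)


def required_strength(risk: int) -> int:
    """Assumed rule tying the two tables together: risk 1 -> 1, 2-3 -> 2, 4-5 -> 3."""
    if not 1 <= risk <= 5:
        raise ValueError(f"risk rating out of range: {risk}")
    if risk >= 4:
        return 3
    if risk >= 2:
        return 2
    return 1


def _index(matrix: Iterable[Control]) -> Dict[str, Dict[int, Control]]:
    """Index the matrix as {family: {strength: control}} and check that every
    family has a baseline (strength 1) cell so the fallback below always resolves."""
    by_family: Dict[str, Dict[int, Control]] = {}
    for c in matrix:
        by_family.setdefault(c.family, {})[c.strength] = c
    missing = [f for f, cells in by_family.items() if 1 not in cells]
    if missing:
        raise ValueError(f"control families without a baseline cell: {missing}")
    return by_family


def join_policy(objects: Iterable[InfoObject],
                matrix: Iterable[Control] = CONTROL_MATRIX) -> Dict[str, List[Control]]:
    """The join: for each information object and each control family, select the
    cell whose strength equals the object's required strength, or the strongest
    cell below it when the matrix is sparse. Low-risk objects therefore never
    carry the cost of the strongest controls."""
    by_family = _index(matrix)
    policy: Dict[str, List[Control]] = {}
    for obj in objects:
        level = required_strength(obj.risk)
        selected = []
        for family in sorted(by_family):
            cells = by_family[family]
            pick = max(s for s in cells if s <= level)
            selected.append(cells[pick])
        policy[obj.name] = selected
    return policy


def standards_covered(controls: Iterable[Control]) -> List[str]:
    """Standards the selected controls are mapped to (regulatory traceability)."""
    return sorted({s for c in controls for s in c.standards})


if __name__ == "__main__":
    for obj in SAMPLE_OBJECTS:
        controls = join_policy([obj])[obj.name]
        print(f"{obj.name} (risk {obj.risk}) -> {standards_covered(controls)}")
        for c in controls:
            print(f"  [{c.family} L{c.strength}] {c.requirement}")
```

The matrix is kept sparse on purpose (no strength-3 logging cell) so the fallback path is exercised; `_index` rejects a matrix lacking a baseline cell for any family, since that is the one case in which the fallback cannot resolve. `standards_covered` is what gives each department's resulting policy its trace back to the regulatory mapping.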

Talk Abstracts

We in higher education have limited capability to influence IT policy, and we who work in IT have limited capability to influence campus policy. So we have to choose where to spend our policy chips. But everything relates to everything else, so we can't. Simply continuing as we have won't work. The issues are becoming more numerous and complicated. I'll outline some of the challenges we face, the options for addressing them, and the choices that are emerging.

Three Approaches to Awareness: Unified Messaging, Local Responses, and National Cybersecurity Awareness Month
Michael Kaiser

We are only as cyber secure as the weakest link on any network. For people, organizations, government, colleges and universities and others engaged in education and awareness activities that poses considerable challenges. How do we build out our capability to share and disseminate messages that provide clear motivation and methods to stay safe online? How do we saturate the community of users with messages so we know they receive them? Who are the partners critical to these efforts?

This presentation will look at three efforts underway that attempt to bring some answers to these questions—a messaging campaign, a local collaboration on cybersecurity, and National Cybersecurity Awareness Month.

Characterizing the Cyberthreat Landscape
Matthew Devost

Are we currently in a state of dynamic cyberconflict or is the threat overhyped? While it may be difficult to discern the truth based on current political discourse and media coverage, the truth currently lies somewhere in the middle. This presentation will provide an overview of the current threat landscape, how it is changing and how that will impact technology-dependent organizations in the future.

So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users
Cormac Herley

It is often suggested that users are hopelessly lazy and unmotivated on security questions. They choose weak passwords, ignore security warnings, and are oblivious to certificate errors. We argue that users' rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort.

Looking at various examples of security advice, we find that the advice is complex and growing, but the benefit is largely speculative or moot. For example, much of the advice concerning passwords is outdated and does little to address actual threats, and fully 100% of certificate error warnings appear to be false positives. Further, if users spent even a minute a day reading URLs to avoid phishing, the cost (in terms of user time) would be two orders of magnitude greater than all phishing losses. Thus we find that most security advice simply offers a poor cost-benefit tradeoff to users and is rejected. Security advice is a daily burden, applied to the whole population, while an upper bound on the benefit is the harm suffered by the fraction that become victims annually. When that fraction is small, designing security advice that is beneficial is very hard. For example, it makes little sense to burden all users with a daily task to spare 0.01% of them a modest annual pain.

How Should Colleges Respond to RIAA and Other File Sharing Subpoenas?
Ray Beckerman

Colleges should not assume the RIAA's lawyers, or the Courts, know what they are doing; this is all a new, untested landscape where almost no normal litigation has taken place to carve out meaningful precedent.

IT departments should be fully engaged to ensure that, in the event an enforceable subpoena must be answered, the information supplied is technically accurate.

American Privacy: Can a 19th Century Right Survive 21st Century Technology?
Frederick Lane

The right to privacy holds a unique position in American law and society. Unlike most of our other familiar rights, the right to privacy has no roots in the nation's founding documents. Instead, it owes its existence to judicial interpretations of state common law and the underlying intent of the Bill of Rights. The tenuous nature of the right to privacy makes it particularly susceptible to erosion by technological advances, a process that each of us in our own way has accelerated. Our love affair with digital technology -- from the mainframe computer to smartphones -- is in constant tension with our belief in a right to privacy. Can the two concepts co-exist, or will we be forced to choose between processors or privacy?

Break-out Session Abstracts

Botnets, A Look Into Today's Malware Battle Front
Marc Evans

As malware and the internet have evolved, botnets have become core functionality for a large number of malicious actors. This presentation will provide an overview of botnet concepts and then take a more detailed look at recent trends among both malicious actors and the methods being attempted to minimize botnet effectiveness.

Social Media and College Students: Understanding the Millennial Generation's Staying Connected Mindset
Davina Pruitt-Mentle

As the first generation to come of age since 2000, the Millennial Generation, or those born after 1980, is often distinguished by the integration of technology throughout their lives. It is well documented that their lifestyles include a plethora of gadgets which include wireless technology and the creation of self-designed media. Several research studies highlight the Millennials' fusion of technology into their social lives.

This session will present an overview of the latest research findings regarding Millennials' use of social networking sites such as Facebook, Twitter, Prezis, and formspring.me, but also note sharing, book rentals and other tools used by students. We will discuss the do's and don'ts for college students when using these sites, and concerns for students, faculty, and administrators alike.

Hacking Tools and the Hacker Curriculum
Sergey Bratus and Far McKon

As network and internet connections have become more vital to research, business, and day-to-day life, many institutions have responded by discouraging student exploration and 'play' on university networks. At the same time, global competition and the new reliance on networks make it more important than ever that students develop a rich understanding of technology. Students need the room to develop their passion, and to learn from mistakes without causing (much) trouble.

Private VPN, 'Capture The Box' networks, and technologies like Agora Link can give students a space to hack for good or bad, and learn voraciously about network infrastructure while ameliorating concerns about collateral network damage from their exploration. Students can also augment existing college IT departments, and through their experience they can develop their skills, and extend IT capabilities.

This talk will give a short background on the link between students & hacking, offer some ideas and suggestions for giving students freedom to hack and play within an academic network, and give some insight into related projects under development in the hackerspace community. We will also suggest some good outlines for getting student IT collaborations started.